Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Hunt Intensifies for Botnet Command & Controls



 By: Ryan Naraine
2006-03-02
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Hunt Intensifies for Botnet Command & Controls
  2. ' Page 2 '

Rate This Article:
Poor Best
Hunt Intensifies for Botnet Command & Controls
( Page 1 of 2 )

The never-ending search for the command-and-control infrastructure that powers zombie machines in botnets has been expanded with a new open mailing list and a call for increased public participation.

Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers.

The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity, especially the C&C (command-and-control) system that remotely sends instructions to botnets.

A botnet, which is short for "robot network," is a collection of broadband-enabled computers that have been commandeered by hackers for use in spam runs, distributed denial-of-service attacks or malware installation.

The compromised machines are controlled by a "botmaster" via an IRC (Inter Relay Chat) server installed illegally on a high-bandwidth educational or corporate network.

Resource Library:

"If that command-and-control is disabled, all the machines in that botnet become useless to the botmaster. Its an important part of dealing with this problem," said Gadi Evron, a botnet hunter who helps to manage the anti-botnet fightback.

Evron, who serves as the Israeli CERT manager and is a leader in many global Internet security efforts, said the group includes representatives from anti-virus vendors, ISPs, law enforcement, educational institutions and dynamic DNS providers internationally.

Over the last year, the group has done its work quietly on closed, invite-only mailing lists. Now, Evron has launched a public, open mailing list to enlist the general public to help report botnet C&C servers.

The new mailing list will serve as a place to discuss detection techniques, report botnets, pass information to the relevant private groups and automatically notify the relevant ISPs of command-and-control sightings.

"The vetted lists will still do the bulk of the work, but we needed a public place to involve a wider audience," Evron said in an interview with eWEEK.

Anti-virus experts have detected signs of a massive, well-coordinated Trojan attack capable of creating botnets-for-hire. Click here to read more.

Dan Hubbard, senior director of security and technology research at San Diego-based Web filtering software firm Websense, said the threat from botnets should be high on a CIOs worry list. "Were seeing more and more bots being written for multiple use. They used to open a backdoor simply to send spam, but now were seeing bots logging keystrokes or pulling Web-surfing data to build personal identity profiles," Hubbard explained.

"The botnet has become a web of connections. Theyll send spam for a porn content site and when youre lured there, theyll use sophisticated redirects to bounce you around different sites rigged with exploit code. Its very organized around making money," he added.

He said Websense Web Security Suite Version 6.2 has been fitted with a new protection mechanism to sniff out bots and bot networks. "Bots and botnets are spreading like wildfire. Were working to control them, but its always a catch-up game," Hubbard said in an interview. "Even after you cut off the command-and-control, the machines in the botnet are still vulnerable to reinfection. In some cases, a single machine may belong to multiple botnets."

Roger Thompson, a veteran anti-virus researcher who runs the Atlanta-based Exploit Prevention Labs, said the vigilante approach to targeting botnet command-and-controls comes with upside and downside.

"The upside to these information-sharing efforts is that the right people get involved. We get the right information to law enforcement, which is really whats required," Thompson said.

Next Page: Will efforts make hackers stronger?





  Reader Comments: Hunt Intensifies for Botnet Command & Controls
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r8qռFsvg]mGJɖk#[^K7SJE1EjIʗٗ?_8x %N&_<[¥4F7?I鸺i9crsk|jx΢>? !d[f0TEK ]Ϥ^-Am۟@t 5vj9:ruz=>;| `OS{SuuɄZIPoQۗ>}^~l .prL⎲Qm_Qk$Ё_MMk9JGD=֥E!m$,oQX|:[ANETƖþM"h4"j>wl3godYǽ (ƻf {iZv[P;Eyah/@Zj#\DȁYBni=?Tݱm6{R'-XdUZL bC6S!1kkTը>lY}@|ݑ|Y#Xo:QA3MuL_C?)$fҀ [8#/yy<ΠE[5'0m_j| uvs<"s~5 rd1KU 6 C p==\'xtTa_dY7;Ͱ-6@6cM-*R<LmrG=.iT%5fE&Ժpi$7SYn0omYn]H.T,>JAf kķLJo$SE@- u k+UykQT[PĿ E/$Li&έZp-Alo K,r5&S{~$M ]5Ŧ]`)exJS$%/\P%P샖_΢[2jFt*軤(If0;A0v\l8d ((sɹw[XL,)σ5[ѽ:?`= 0/ Zm 88ʬE1O![>=`MAjweC97(3x?+1 )@FHH4"BQF T * gs"K@#''@@wO$^I-TbDJOq$uܱ;PKRx%,S,ЂW-KᗄPQf9e2lƪ̈́VANDlPPW)XHl~teٜI8(SA0:AR ~5lwnr XsI$\Z^rbp7 P*VL"Hgˣ7dJ &տl]pREMĽ~[*+'G&,m+^ZrijXL[٠bek-}4ۤ-`@"KjEv~Ia#ףN枏v+kF$؃S FL1j>Lk}\SaWݬ񂠬,9[D ZDň i{<qŁj ZiMf~ r?܎XAu9k+:sD ݼ8 |3PJQlw^.Qi}Wӳ(SnM+^&:&ɣ"CW5dDfbNg• k*w֍sPUSyr=ïjYd wM |&7a*r1?M= [L4Fzɶ0MPgh' ? Yo:AkAyʧ Bd+⇇a9k՝rNC7E$79`ܘGpXoH.ow6vJ85 fS))r*H+UtY/sOYq* 2ƞnRH|X%:iZ<$}eU͛CUX)TԒ/YXnvdή hx;L5Ll'ĠRȣS&,] ?TV<^9=3ק~@L@=tP3[&4ukY*6a2N4Kۄ kfI,G: a*ݔ[Y`'ZU%P-HjYx68PxnXN z@W{W2LʼJJ~}{7Jj$7rQӊ 5`JR'0Lƈ Q@Z: GdQ.|eR)V@o8N3AJ j ;!c8`<"MMXhG?=a?q-491=ZgaG^P(k㜘ڿ~Ъ)l |+" .C7&{^Ca8e~e{?ܴ#R1Y/5.ڝOGx;Ȅuuo_u{~{y[QAZ=kq /*}Uj_6[8"c﮻.Ro50oqV=; r!Cc$=ĸ}/gvj4w5FuZgЁF@~ɁUN~Bh\k_/~v;k~tڗ-)^{%<rL Bjt.Xx G]9ȧͦ5vpR`Ns cf`B)y,f \/x]s:֒TzF_ɾjs9ϐa(a4&G8 Z`!wސ{PRc (ʱ=``VɈfwi|.seN1^SF(+bK)"$DY |Eiio/`ANc1:}Qt"ڿBO/b~C<B<_dxD %'BYGg1\IG~2)iNcr:4-3_"Tc(L,ӤND)gT8PSeo_P:F{8쀒N1{TlOء ]nĶGSf9^)ŔL ir0 GBgJȄf{e5)a5R!MLCYOC/$$f;kBړz{ giMN.m2ϼ Kvn+7; .VH_8_`Op!,GH)fHzBˆ,G<=˪aEbݩci;F\x/w<6Sf eZoP'[gY4/40so8d#ޓd=fT$c<1!h X=ѧ~t ޶a ~UjrŽ&n e5?z}l^ﯣ&=0Yz$AC~glrBE])=lKtڗ_{qO r4]9ndLc!I ɫ׺v7}ʜ9%'+x|52e(o(P2PY:pCҤsccf<ݸ+wk1rji}Q>]bwP(;<_b}[tU"EkF_EK ם8ȁqV#y∶K`#j>b_{+&bi4W;Tj{sLkDxj Yj4&K-]xqŨ`bx?G#o<:Qg5X,*DI-][bO/_{ϮFi)lS/=9q= l访_߶pC}O;Uۺ(0d]nFqujU9aK4G>\B>i6걌.h@گ?u+cq;oĥZUS$cm?s#r 16h(U'U@# @->Urǹ,_^Ku0ص<rc!ex/a`N6>i9::){b7`8z#Cv$ #T4<`߇ʖm= t;>aa15x:"# ? ˾ v~` ӛEEA+%&\+fkOa|#*ay@E Ϭj9`W'gN .> >J%OH&)b"b_sW9l>&Pv{Vm?ew%%!=(ݸTS_:̞? ꚮ9RQd|p8CI7솃H5mDF ^_\>K /Dj;(ϭ0єN,B bg vP"P@hGԳ`;U¢-T^n-La8_RV$$Խ#2WdZ |[Dy:OV)k&䮱dxQQQQ?¨YPbFX~A&|aWq|df'ha-l[yb2A_oަVk_y o?.$KBK=X`q}۝#[l9M/5M;ЏC{}j9/5/{1\w$3[ϞPVy$)BAd 2A? ] T, _ȖbFK&[:u9㴍Q F%^<ňlJJQzz gQ׷.%%JZSגQX9X[YBB}'Nt`:E0g0zX_"|=OgXgJ!iK>ߍߍߍߍbObLSG·wT >{5flˤ@M ֔j*"~YC(_ٰy87fU?QHMܹmJϫ^*+Ĭ6(~{Sݘn56Mu#=WŇܹϝФw:8szܯ>q\=mz Sh:q=!^1!kN$ FޭFYߪ66.}+u[*@Po !XQۛӬ-JV>kRCǚԀmzZqWNaN&5 u %WB*Q QL&'sַ+vҍ] YIO3c}: ]0Dx=9~r䚫m mr7Cv> wc1j_g˧[D^xh̝L-!p KYB/|R͕{[tp=wFI 0۾l_c ٩o/$^m Z1ߦÀm_m><+ T+{lȊhkkٵqdyN;uV.JhJLnhZw>[pu9y{©Yj:&QJE:`/S)c<r63 ؑh`P_E菘Г 5>F eΝkȪ~w_ڋK۪_xģŁAe^t7 UP 'W@>#޳l1EKl\gj  :(.d"!!Tm-;T4n;*=f]=ErU|Po|Պ[Niҡ?:a%f|l9>"OCMwAc:@ܮg8. 2â>&u?>ޘYϟfPm!۟`n3C(y+_9-g(7Otzl _H¢ZtOOM 2E߲ $BtU l?QX2!\6n/͛I~p7^z0lsq̩Tl/ZNRHkcΩZE9TWs.s"HwtAj-biAc2·X31aCRA550j§*z JD(-~0Ƿq7|^3n[7?)Fllz^C`5vX5kڹ}rX+ ~Kmy5Jr557ںsʞqч!F]TXzX um6O~ʤ Odln--aaZ$v\rQ D#'&EbzW 2ĶYhkӀ/]YjJEUP=jfo,v >sIY)J\kg]XcAC &xړGF^Gly rj-ݳItg[5a$f|`΢4p|3sXx[Mw5=szn12vnA3'}CF#?ݹHm+nAY,t:w IXEmJ<\kJ^DIqC<#Թ<׉/?qbSajb`/0L~%U$x[jhwQf1q8 @ɹ莥%5 AS!M Keg~R?o:,=70ra`Zߝ5}bu0kobF .m3FwG#ˠ+S1DEU<11t+PjNTMO0Y=CE3 L ^_\}BA*GѺmxDJ rKb֦uOg5aT0|Lu?nmx+VzM";{ ̊XL t4*$:`m;=wLfROaoLNCRY `Oi$}NK1I P46ύ:nZHv\nzVߺ Ciѝ>W<yS]% YvXRiС0'ߩ1q?G$R좲" 2G6wCyv#ewa-3X^χ\nX|I7ǟo9gkH0jCL9ҔYooZeO9T :}A~b C:΁ nZv>F(<"mG3uǸZs Қ <v\N~cs= xcDRPis a`^r {VĄ1$6_ w@>vWZj !1g昑Gi>'_s 8:* (P,%B\@3,V2A!kC1P/MJ>ls}Mi0qA>0<(SG]ĝ5]qP/wҁ@V pϒwgy:tVQ1e&}j%nwKM ᵈbyN]ƒ $BqнӜhҽ߰eQ5#!uԦF p7@Q력2Dj GM*7aN{CJe NF{+ O@.w3󛀃f+#O~2.>@\>͌|_;hi_fC2?Aɀ]"c~.`Y\d1 ϋ ȠOˌ_~7[F_d^f%e\]f_O7CtAt3U}\A@?Ӄ2߃2g_>dG1|ߛ o2ڿɠZ'I72qS*R~A/2ȋ৬|B]eB~<++A/Ӯw3 ث < 3_2 ̵T_Wfr_!4.5Pk oYY<뵊cn%m:v B__V<-t&j\eʣf(+@J~@q37>RqFPc^u^ e3jkDg>'[ j*85ߚQu8 % ~H-M3wN08a箩-g7xF mqocus`:Hn6J墦 V˕R;qO+F$ô߹7_TMVYI2ZY9,+ QPB4L۰W)Y7tSskFG>5]1,D æᄽNگ!Ď` }3wP}oqr=s] YN4Mܹ?|NEzI2ؐCXMlI]'C']QL<0 ? 3y Ʊ XGP{cPr P _HIoCMW } v.LEUzqv;—#8,^bYđE cl;`XC-k'lybb+uԿciC_K_Βc̓~@}fI\=u{ĊT{aw9./]C?Hx qp p_'¤],lN%7.sn`5cpe3 î70m&Ĥ?I[E{=0&F#Fo 9݌ ū*aсYk{nD8;-i5|vq[|0~]@8> d:#o6.ώ{;]9!5 Wuu7L?Q'/R^ۍv~iX(1.Xx^7D6^aޟ y&zx D亂mvKT>IbHq@>avEE~!KG ϻyHj(t߅ϩnC A{g^_v܅eNVhJm;)Ƶd2-1O`Xc \}wHv&,t>;/uԝU Cr 恜2њ>|^чee d|%_OxƮ~[axs%dGxM-IU`c^gʍt/Ast2Z43@FOD07"im.#sEt%(Xp^'A֮lsw6E-DdGx kok5gxϷ;<v7 ͇OVy؋(v/-(' yvJ^Q.u tleb @J< 73TT %` GYU`+8u JѪV"60q۷Pl@xQ bLaգv)E9b릍\QpCؕE'dsk'gymE]Y>Ѝ503#5cgb@xVOmүy~{C#> }vxe .VsFyej ٞջHR#z3 味0,BL IQy6;|,ݐbZQԮ;'R:4sh{۟s\THՇl߇jF7\ dZ\K>مu&;k9ώK~>t frs*]_7Nb‚_ydɅ^_YG/XMZzk/oߙ Y/5.ڝOGܥ|;hyx8k 3JdbQx'ξiߝVdv;, mݸ'﮻.RXF^zI2f+ AHcf] >ֳ/ .N|>Gy6xT2kV* wN|VtƦI21qzr{㸡L셫Qbm٦dUi29J}) q+˅4>%f[96aNw6~̈́M>&Şve}C~bg(